Introduction


We normally distinguish between two classes of algorithms: deterministic algorithms and non-deterministic algorithms. A deterministic algorithm defines a single-valued (partial) function, while a non-deterministic algorithm defines a many-valued function. Therefore, while there are only few properties of interest (mainly, termination, partial correctness, total correctness, partial equivalence, equivalence and total equivalence) for deterministic algorithms, there are many more (including partial determinacy, total determinacy and several additional varieties of termination, correctness and equivalence) for non-deterministic algorithms.

Several works have recently formalized properties of algorithms in first-order predicate calculus (see Manna [8]). The importance of such formalization is clear considering the current power of mechanical theorem proving techniques, which hopefully will be further improved in the next few years. Unfortunately there are properties (such as equivalence) that cannot be formalized by a first-order formula; however, they can be formalized by a second-order formula (see Cooper [4]).

In this work we show that for any given algorithm, it is always possible to formalize all its properties by second-order formulas, if one knows how to formalize its 'partial correctness' by a second-order formula.

This result is of special interest since 'partial correctness' has already been formalized for many classes of deterministic algorithms, such as flowchart programs (Floyd [6] and Manna [7]), functional programs (Manna and Pnueli [10]), and Algol-like programs (Ashcroft [1] and Burstall [3]); and also for certain classes of non-deterministic algorithms, such as non-deterministic programs (Manna [9]) and parallel programs (Ashcroft and Manna [2]).

Papers closely related to this work are those of Cooper [5] and Park [11].


I. PARTIAL FUNCTIONS


Let $y = f(x)$ be a partial function mapping $D_x$ (called the input domain) into $D_y$ (called the output domain). That is, for every $\xi \in D_x$, $f(\xi)$ is either defined (notation: $*f(\xi)$) or undefined. A function that is defined for all values of its input domain is called total. A function whose output domain is $\{true, false\}$, $\{T, F\}$ for short, is called a predicate.

Basic definitions

Let $\psi(x,y)$ be a total predicate over $D_x \times D_y$ and let $\xi \in D_x$. We say that

1.(a) $f(\xi)$ is partially correct w.r.t. $\psi$ if $*f(\xi) \supset \psi(\xi, f(\xi))$; 1/

(b) $f(\xi)$ is totally correct w.r.t. $\psi$ if $*f(\xi) \wedge \psi(\xi, f(\xi))$.

Let $y = f_1(x)$ and $y = f_2(x)$ be any two comparable partial functions, i.e., partial functions with the same input domain $D_x$ and the same output domain $D_y$. We say that

2.(a) $f_1(\xi)$ and $f_2(\xi)$ are partially equivalent if

$*f_1(\xi) \wedge *f_2(\xi) \supset f_1(\xi) = f_2(\xi)$;

(b) $f_1(\xi)$ is an extension of $f_2(\xi)$ if

$*f_2(\xi) \supset [*f_1(\xi) \wedge f_1(\xi) = f_2(\xi)]$;

(c) $f_1(\xi)$ and $f_2(\xi)$ are equivalent if

$[*f_1(\xi) \equiv *f_2(\xi)] \wedge [*f_1(\xi) \wedge *f_2(\xi) \supset f_1(\xi) = f_2(\xi)]$;

(d) $f_1(\xi)$ and $f_2(\xi)$ are totally equivalent if

$*f_1(\xi) \wedge *f_2(\xi) \wedge f_1(\xi) = f_2(\xi)$.

1/ Throughout the paper we are assuming that the connectives have the following precedence: $\sim$, $\wedge$, $\vee$, $\supset$ and $\equiv$. Thus '$\sim$' is more binding than '$\wedge$', '$\wedge$' is more binding than '$\vee$', and so on.
Let $y_1 = f_1(x_1), \ldots, y_n = f_n(x_n)$ be partial functions with input domains $D_{x_1}, \ldots, D_{x_n}$ and output domains $D_{y_1}, \ldots, D_{y_n}$, respectively. Let $\psi(x_1, y_1, \ldots, x_n, y_n)$ be any total predicate over $D_{x_1} \times D_{y_1} \times \ldots \times D_{x_n} \times D_{y_n}$. We say that:

3.(a) $f_1(\xi_1), \ldots, f_n(\xi_n)$ are partially correct w.r.t. $\psi$ if

$*f_1(\xi_1) \wedge \ldots \wedge *f_n(\xi_n) \supset \psi(\xi_1, f_1(\xi_1), \ldots, \xi_n, f_n(\xi_n))$;

(b) $f_1(\xi_1), \ldots, f_n(\xi_n)$ are totally correct w.r.t. $\psi$ if

$*f_1(\xi_1) \wedge \ldots \wedge *f_n(\xi_n) \wedge \psi(\xi_1, f_1(\xi_1), \ldots, \xi_n, f_n(\xi_n))$.

For $n = 1$ we obtain properties 1(a) and 1(b) as special cases of properties 3(a) and 3(b), respectively. Note that the case $n = 2$ where $f_2$ is identical to $f_1$ can be used to define some properties of a single function which cannot be defined by 1(a) or 1(b).

For example, the property that a function $f$ mapping integers into integers is defined and monotonically increasing (i.e., $\xi > \xi' \supset f(\xi) > f(\xi')$) is exactly the case where the functions $f$ and $f'$ (where $f'$ is identical to $f$) are totally correct w.r.t.

$\psi(x, y, x', y')$: $x > x' \supset y > y'$.

For $n = 2$ and $\psi(x_1, y_1, x_2, y_2)$: $x_1 = x_2 \supset y_1 = y_2$ we obtain properties 2(a) and 2(d) as special cases of 3(a) and 3(b), respectively.


The formalization

Suppose that we can formalize the property of $f$ being partially correct by a second-order formula $w(x,q)$ 2/ in the following sense:

For every $\xi \in D_x$ and for every predicate $\psi(x,y)$ over $D_x \times D_y$:

$w(\xi, \psi)$ if and only if $*f(\xi) \supset \psi(\xi, f(\xi))$.

I.e., $w(\xi, \psi)$ is true if and only if either $f(\xi)$ is undefined, or $f(\xi)$ is defined and $\psi(\xi, f(\xi))$ is true.

Note that the following two properties of $w(x,q)$ are always true. For every $\xi \in D_x$: (i) $w(\xi, T)$ and therefore $\exists q\, w(\xi, q)$, and (ii) $\sim *f(\xi) \supset \forall q\, w(\xi, q)$.


Theorem 1

0. $f(\xi)$ is defined if and only if $\sim w(\xi, F)$;

1.(a) $f(\xi)$ is partially correct w.r.t. $\psi$ if and only if $w(\xi, \psi)$;

(b) $f(\xi)$ is totally correct w.r.t. $\psi$ if and only if $\sim w(\xi, \sim\psi)$;

2.(a) $f_1(\xi)$ and $f_2(\xi)$ are partially equivalent if and only if

$\forall q [w_1(\xi, q) \vee w_2(\xi, \sim q)]$;

(b) $f_1(\xi)$ is an extension of $f_2(\xi)$ if and only if

$\forall q [w_1(\xi, q) \supset w_2(\xi, q)]$;

(c) $f_1(\xi)$ and $f_2(\xi)$ are equivalent if and only if

$\forall q [w_1(\xi, q) \equiv w_2(\xi, q)]$;

(d) $f_1(\xi)$ and $f_2(\xi)$ are totally equivalent if and only if

$\forall q [\sim w_1(\xi, q) \vee \sim w_2(\xi, \sim q)]$;

3.(a) $f_1(\xi_1), \ldots, f_n(\xi_n)$ are partially correct w.r.t. $\psi$ if and only if

$\exists q_1 \ldots \exists q_n \{ w_1(\xi_1, q_1) \wedge \ldots \wedge w_n(\xi_n, q_n) \wedge \forall \eta_1 \ldots \forall \eta_n [q_1(\xi_1, \eta_1) \wedge \ldots \wedge q_n(\xi_n, \eta_n) \supset \psi(\xi_1, \eta_1, \ldots, \xi_n, \eta_n)] \}$;

(b) $f_1(\xi_1), \ldots, f_n(\xi_n)$ are totally correct w.r.t. $\psi$ if and only if

$\forall q_1 \ldots \forall q_n \{ w_1(\xi_1, q_1) \wedge \ldots \wedge w_n(\xi_n, q_n) \supset \exists \eta_1 \ldots \exists \eta_n [q_1(\xi_1, \eta_1) \wedge \ldots \wedge q_n(\xi_n, \eta_n) \wedge \psi(\xi_1, \eta_1, \ldots, \xi_n, \eta_n)] \}$.

2/ We write $w(x,q)$ to indicate that the wff $w$ has no free variables except the individual variable $x$ and the predicate variable $q$.


Proof of Theorem 1

0. $\sim w(\xi, F) \Leftrightarrow \sim [*f(\xi) \supset F] \Leftrightarrow *f(\xi)$.

1.(a) $w(\xi, \psi) \Leftrightarrow *f(\xi) \supset \psi(\xi, f(\xi))$.

(b) $\sim w(\xi, \sim\psi) \Leftrightarrow \sim [*f(\xi) \supset \sim\psi(\xi, f(\xi))] \Leftrightarrow *f(\xi) \wedge \psi(\xi, f(\xi))$.

2.(a) $\sim \forall q [w_1(\xi, q) \vee w_2(\xi, \sim q)] \Leftrightarrow \exists q [\sim w_1(\xi, q) \wedge \sim w_2(\xi, \sim q)]$

$\Leftrightarrow \exists q [*f_1(\xi) \wedge \sim q(\xi, f_1(\xi)) \wedge *f_2(\xi) \wedge q(\xi, f_2(\xi))]$

$\Leftrightarrow *f_1(\xi) \wedge *f_2(\xi) \wedge f_1(\xi) \ne f_2(\xi)$

$\Leftrightarrow \sim [*f_1(\xi) \wedge *f_2(\xi) \supset f_1(\xi) = f_2(\xi)]$.

(b) $\sim \forall q [w_1(\xi, q) \supset w_2(\xi, q)] \Leftrightarrow \exists q [w_1(\xi, q) \wedge \sim w_2(\xi, q)]$

$\Leftrightarrow \exists q \{ [\sim *f_1(\xi) \vee q(\xi, f_1(\xi))] \wedge [*f_2(\xi) \wedge \sim q(\xi, f_2(\xi))] \}$

$\Leftrightarrow \exists q \{ [\sim *f_1(\xi) \wedge *f_2(\xi) \wedge \sim q(\xi, f_2(\xi))] \vee [*f_1(\xi) \wedge *f_2(\xi) \wedge q(\xi, f_1(\xi)) \wedge \sim q(\xi, f_2(\xi))] \}$ 3/

$\Leftrightarrow \exists q [\sim *f_1(\xi) \wedge *f_2(\xi) \wedge \sim q(\xi, f_2(\xi))] \vee \exists q [*f_1(\xi) \wedge *f_2(\xi) \wedge q(\xi, f_1(\xi)) \wedge \sim q(\xi, f_2(\xi))]$

$\Leftrightarrow [\sim *f_1(\xi) \wedge *f_2(\xi)] \vee \exists q [*f_1(\xi) \wedge *f_2(\xi) \wedge q(\xi, f_1(\xi)) \wedge \sim q(\xi, f_2(\xi))]$

$\Leftrightarrow [\sim *f_1(\xi) \wedge *f_2(\xi)] \vee [*f_1(\xi) \wedge *f_2(\xi) \wedge f_1(\xi) \ne f_2(\xi)]$

$\Leftrightarrow \sim \{ *f_2(\xi) \supset [*f_1(\xi) \wedge f_1(\xi) = f_2(\xi)] \}$. 4/

(c) $\forall q [w_1(\xi, q) \equiv w_2(\xi, q)]$

$\Leftrightarrow \forall q \{ [w_1(\xi, q) \supset w_2(\xi, q)] \wedge [w_2(\xi, q) \supset w_1(\xi, q)] \}$

$\Leftrightarrow \forall q [w_1(\xi, q) \supset w_2(\xi, q)] \wedge \forall q [w_2(\xi, q) \supset w_1(\xi, q)]$;

then use 2(b).

(d) $\sim \forall q [\sim w_1(\xi, q) \vee \sim w_2(\xi, \sim q)] \Leftrightarrow \exists q [w_1(\xi, q) \wedge w_2(\xi, \sim q)]$

$\Leftrightarrow \exists q \{ [*f_1(\xi) \supset q(\xi, f_1(\xi))] \wedge [*f_2(\xi) \supset \sim q(\xi, f_2(\xi))] \}$

$\Leftrightarrow \exists q \{ [\sim *f_1(\xi) \wedge \sim *f_2(\xi)] \vee [\sim *f_1(\xi) \wedge \sim q(\xi, f_2(\xi))] \vee [q(\xi, f_1(\xi)) \wedge \sim *f_2(\xi)] \vee [q(\xi, f_1(\xi)) \wedge \sim q(\xi, f_2(\xi))] \}$ 5/

$\Leftrightarrow \exists q \{ [\sim *f_1(\xi) \wedge \sim *f_2(\xi)] \vee \sim *f_1(\xi) \vee \sim *f_2(\xi) \vee [q(\xi, f_1(\xi)) \wedge \sim q(\xi, f_2(\xi))] \}$

$\Leftrightarrow \exists q \{ [\sim *f_1(\xi) \vee \sim *f_2(\xi)] \vee [*f_1(\xi) \wedge *f_2(\xi) \wedge q(\xi, f_1(\xi)) \wedge \sim q(\xi, f_2(\xi))] \}$ 6/

$\Leftrightarrow \sim *f_1(\xi) \vee \sim *f_2(\xi) \vee \exists q [*f_1(\xi) \wedge *f_2(\xi) \wedge q(\xi, f_1(\xi)) \wedge \sim q(\xi, f_2(\xi))]$

$\Leftrightarrow \sim *f_1(\xi) \vee \sim *f_2(\xi) \vee [*f_1(\xi) \wedge *f_2(\xi) \wedge f_1(\xi) \ne f_2(\xi)]$

$\Leftrightarrow \sim [*f_1(\xi) \wedge *f_2(\xi) \wedge f_1(\xi) = f_2(\xi)]$. 7/

3.(a) $\exists q_1 \ldots \exists q_n \{ w_1(\xi_1, q_1) \wedge \ldots \wedge w_n(\xi_n, q_n) \wedge \forall \eta_1 \ldots \forall \eta_n [q_1(\xi_1, \eta_1) \wedge \ldots \wedge q_n(\xi_n, \eta_n) \supset \psi(\xi_1, \eta_1, \ldots, \xi_n, \eta_n)] \}$

$\Leftrightarrow \exists q_1 \ldots \exists q_n \{ [*f_1(\xi_1) \supset q_1(\xi_1, f_1(\xi_1))] \wedge \ldots \wedge [*f_n(\xi_n) \supset q_n(\xi_n, f_n(\xi_n))] \wedge \forall \eta_1 \ldots \forall \eta_n [q_1(\xi_1, \eta_1) \wedge \ldots \wedge q_n(\xi_n, \eta_n) \supset \psi(\xi_1, \eta_1, \ldots, \xi_n, \eta_n)] \}$

$\Leftrightarrow *f_1(\xi_1) \wedge \ldots \wedge *f_n(\xi_n) \supset \psi(\xi_1, f_1(\xi_1), \ldots, \xi_n, f_n(\xi_n))$.

(b) $\sim \forall q_1 \ldots \forall q_n \{ w_1(\xi_1, q_1) \wedge \ldots \wedge w_n(\xi_n, q_n) \supset \exists \eta_1 \ldots \exists \eta_n [q_1(\xi_1, \eta_1) \wedge \ldots \wedge q_n(\xi_n, \eta_n) \wedge \psi(\xi_1, \eta_1, \ldots, \xi_n, \eta_n)] \}$

$\Leftrightarrow \exists q_1 \ldots \exists q_n \{ [*f_1(\xi_1) \supset q_1(\xi_1, f_1(\xi_1))] \wedge \ldots \wedge [*f_n(\xi_n) \supset q_n(\xi_n, f_n(\xi_n))] \wedge \forall \eta_1 \ldots \forall \eta_n [q_1(\xi_1, \eta_1) \wedge \ldots \wedge q_n(\xi_n, \eta_n) \supset \sim\psi(\xi_1, \eta_1, \ldots, \xi_n, \eta_n)] \}$

$\Leftrightarrow \sim *f_1(\xi_1) \vee \ldots \vee \sim *f_n(\xi_n) \vee \sim\psi(\xi_1, f_1(\xi_1), \ldots, \xi_n, f_n(\xi_n))$

$\Leftrightarrow \sim [*f_1(\xi_1) \wedge \ldots \wedge *f_n(\xi_n) \wedge \psi(\xi_1, f_1(\xi_1), \ldots, \xi_n, f_n(\xi_n))]$.

Q.E.D.

3/ $[\sim A \vee C] \wedge [B \wedge \sim D]$ is logically equivalent to $[\sim A \wedge B \wedge \sim D] \vee [A \wedge B \wedge C \wedge \sim D]$.

4/ $[\sim A \wedge B] \vee [A \wedge B \wedge \sim C]$ is logically equivalent to $\sim \{ B \supset A \wedge C \}$.

5/ $[A \supset C] \wedge [B \supset \sim D]$ is logically equivalent to $[\sim A \wedge \sim B] \vee [\sim A \wedge \sim D] \vee [C \wedge \sim B] \vee [C \wedge \sim D]$.

6/ $[\sim A \wedge \sim B] \vee \sim A \vee \sim B \vee [C \wedge \sim D]$ is logically equivalent to $\sim A \vee \sim B \vee [A \wedge B \wedge C \wedge \sim D]$.

7/ $\sim A \vee \sim B \vee [A \wedge B \wedge \sim C]$ is logically equivalent to $\sim [A \wedge B \wedge C]$.
Example

Our theory is based on the assumption that for a given partial function $f$, one knows how to construct the appropriate second-order formula $w(x,q)$. The construction depends, in general, on the (deterministic) algorithm defining $f$. However, as mentioned in the Introduction, the construction of $w(x,q)$ has already been described for many classes of deterministic algorithms, such as flowchart programs (Floyd [6], Manna [7]), functional programs (Manna and Pnueli [10]), and Algol-like programs (Ashcroft [1], Burstall [3]).

We shall illustrate the construction of $w(x,q)$ for the factorial function over the integers (undefined for negative integers) defined by four different algorithms; the first two are flowchart programs and the other two are functional programs. Note that the formulas reflect the computations of the algorithms in a very natural way.
II. MANY-VALUED FUNCTIONS

One natural extension of our results is obtained by considering many-valued functions rather than single-valued functions.

Let $y = F(x)$ be a many-valued function mapping elements of $D_x$ into subsets of $D_y$; that is, for every $\xi \in D_x$, $F(\xi)$ is a (possibly empty) subset of $D_y$. We say that:

1. $F(\xi)$ is defined if $F(\xi) \ne \emptyset$.

2.(a) $F(\xi)$ is partially determinate if

$\forall y_1 \forall y_2 [y_1 \in F(\xi) \wedge y_2 \in F(\xi) \supset y_1 = y_2]$,

i.e., $F(\xi)$ is either empty or a singleton;

(b) $F(\xi)$ is totally determinate if

$F(\xi) \ne \emptyset \wedge \forall y_1 \forall y_2 [y_1 \in F(\xi) \wedge y_2 \in F(\xi) \supset y_1 = y_2]$,

i.e., $F(\xi)$ is a singleton.

Let $\psi(x,y)$ be a total predicate over $D_x \times D_y$. We say that:

3.(a) $F(\xi)$ is partially $\exists$-correct w.r.t. $\psi$ if

$F(\xi) = \emptyset \vee \exists y [y \in F(\xi) \wedge \psi(\xi, y)]$;

(b) $F(\xi)$ is totally $\exists$-correct w.r.t. $\psi$ if

$\exists y [y \in F(\xi) \wedge \psi(\xi, y)]$;

4.(a) $F(\xi)$ is partially $\forall$-correct w.r.t. $\psi$ if

$\forall y [y \in F(\xi) \supset \psi(\xi, y)]$;

(b) $F(\xi)$ is totally $\forall$-correct w.r.t. $\psi$ if

$F(\xi) \ne \emptyset \wedge \forall y [y \in F(\xi) \supset \psi(\xi, y)]$.

Let $y = F_1(x)$ and $y = F_2(x)$ be any two comparable many-valued functions, i.e., many-valued functions with the same input domain $D_x$ and the same output domain $D_y$. We say that:

5.(a) $F_1(\xi)$ and $F_2(\xi)$ are partially non-disjoint if

$F_1(\xi) = \emptyset \vee F_2(\xi) = \emptyset \vee [F_1(\xi) \cap F_2(\xi) \ne \emptyset]$;

(b) $F_1(\xi)$ and $F_2(\xi)$ are totally non-disjoint if

$F_1(\xi) \cap F_2(\xi) \ne \emptyset$,

i.e., $\exists y_1 \exists y_2 [y_1 \in F_1(\xi) \wedge y_2 \in F_2(\xi) \wedge y_1 = y_2]$;

6.(a) $F_1(\xi)$ and $F_2(\xi)$ are partially determinate-equivalent if

$\forall y_1 \forall y_2 [y_1 \in F_1(\xi) \wedge y_2 \in F_2(\xi) \supset y_1 = y_2]$;

(b) $F_1(\xi)$ and $F_2(\xi)$ are totally determinate-equivalent if

$F_1(\xi) \ne \emptyset \wedge F_2(\xi) \ne \emptyset \wedge \forall y_1 \forall y_2 [y_1 \in F_1(\xi) \wedge y_2 \in F_2(\xi) \supset y_1 = y_2]$,

i.e., $F_1(\xi) = F_2(\xi)$ and they are singletons;

7.(a) $F_1(\xi)$ is an extension of $F_2(\xi)$ if $F_1(\xi) \supseteq F_2(\xi)$;

(b) $F_1(\xi)$ and $F_2(\xi)$ are equivalent if $F_1(\xi) = F_2(\xi)$;

8.(a) $F_1(\xi)$ and $F_2(\xi)$ are partially equivalent if

$F_1(\xi) = \emptyset \vee F_2(\xi) = \emptyset \vee F_1(\xi) = F_2(\xi)$;

(b) $F_1(\xi)$ and $F_2(\xi)$ are totally equivalent if

$F_1(\xi) \ne \emptyset \wedge F_2(\xi) \ne \emptyset \wedge F_1(\xi) = F_2(\xi)$.

Suppose that we can formalize the property of $F$ being partially $\forall$-correct by a second-order formula $W(x,q)$ in the following sense:

For every $\xi \in D_x$ and for every predicate $\psi(x,y)$: $W(\xi, \psi)$ if and only if $\forall y [y \in F(\xi) \supset \psi(\xi, y)]$.

Note that the following two properties of $W(x,q)$ are always true.

For every $\xi \in D_x$: (i) $W(\xi, T)$ and therefore $\exists q\, W(\xi, q)$, and

(ii) $F(\xi) = \emptyset \supset \forall q\, W(\xi, q)$.


Theorem 2

1. $F(\xi)$ is defined if and only if $\sim W(\xi, F)$;

2.(a) $F(\xi)$ is partially determinate if and only if

$\forall q [W(\xi, q) \vee W(\xi, \sim q)]$;

(b) $F(\xi)$ is totally determinate if and only if

$\sim W(\xi, F) \wedge \forall q [W(\xi, q) \vee W(\xi, \sim q)]$;

3.(a) $F(\xi)$ is partially $\exists$-correct w.r.t. $\psi$ if and only if

$W(\xi, F) \vee \sim W(\xi, \sim\psi)$;

(b) $F(\xi)$ is totally $\exists$-correct w.r.t. $\psi$ if and only if

$\sim W(\xi, \sim\psi)$;

4.(a) $F(\xi)$ is partially $\forall$-correct w.r.t. $\psi$ if and only if $W(\xi, \psi)$;

(b) $F(\xi)$ is totally $\forall$-correct w.r.t. $\psi$ if and only if

$\sim W(\xi, F) \wedge W(\xi, \psi)$;

5.(a) $F_1(\xi)$ and $F_2(\xi)$ are partially non-disjoint if and only if

$W_1(\xi, F) \vee W_2(\xi, F) \vee \forall q [\sim W_1(\xi, q) \vee \sim W_2(\xi, \sim q)]$;

(b) $F_1(\xi)$ and $F_2(\xi)$ are totally non-disjoint if and only if

$\forall q [\sim W_1(\xi, q) \vee \sim W_2(\xi, \sim q)]$;

6.(a) $F_1(\xi)$ and $F_2(\xi)$ are partially determinate-equivalent if and only if

$\forall q [W_1(\xi, q) \vee W_2(\xi, \sim q)]$;

(b) $F_1(\xi)$ and $F_2(\xi)$ are totally determinate-equivalent if and only if

$\sim W_1(\xi, F) \wedge \sim W_2(\xi, F) \wedge \forall q [W_1(\xi, q) \vee W_2(\xi, \sim q)]$;

7.(a) $F_1(\xi)$ is an extension of $F_2(\xi)$ if and only if

$\forall q [W_1(\xi, q) \supset W_2(\xi, q)]$;

(b) $F_1(\xi)$ and $F_2(\xi)$ are equivalent if and only if

$\forall q [W_1(\xi, q) \equiv W_2(\xi, q)]$;

8.(a) $F_1(\xi)$ and $F_2(\xi)$ are partially equivalent if and only if

$W_1(\xi, F) \vee W_2(\xi, F) \vee \forall q [W_1(\xi, q) \equiv W_2(\xi, q)]$;

(b) $F_1(\xi)$ and $F_2(\xi)$ are totally equivalent if and only if

$\sim W_1(\xi, F) \wedge \sim W_2(\xi, F) \wedge \forall q [W_1(\xi, q) \equiv W_2(\xi, q)]$.

Proof of Theorem 2

1. $\sim W(\xi, F) \Leftrightarrow \sim \forall y [y \in F(\xi) \supset F] \Leftrightarrow \exists y [y \in F(\xi)] \Leftrightarrow F(\xi) \ne \emptyset$.

2.(a) $\sim \forall q [W(\xi, q) \vee W(\xi, \sim q)] \Leftrightarrow \exists q [\sim W(\xi, q) \wedge \sim W(\xi, \sim q)]$

$\Leftrightarrow \exists q \{ \exists y [y \in F(\xi) \wedge \sim q(\xi, y)] \wedge \exists y [y \in F(\xi) \wedge q(\xi, y)] \}$

$\Leftrightarrow \exists y_1 \exists y_2 [y_1 \in F(\xi) \wedge y_2 \in F(\xi) \wedge y_1 \ne y_2]$

$\Leftrightarrow \sim \forall y_1 \forall y_2 [y_1 \in F(\xi) \wedge y_2 \in F(\xi) \supset y_1 = y_2]$.

(b) Follows from 1 and 2(a).

3.(a) Follows from 1 and 3(b).

(b) $\sim W(\xi, \sim\psi) \Leftrightarrow \sim \forall y [y \in F(\xi) \supset \sim\psi(\xi, y)] \Leftrightarrow \exists y [y \in F(\xi) \wedge \psi(\xi, y)]$.

4.(a) $W(\xi, \psi) \Leftrightarrow \forall y [y \in F(\xi) \supset \psi(\xi, y)]$.

(b) Follows from 1 and 4(a).

5.(a) Follows from 1 and 5(b).

(b) $\sim \forall q [\sim W_1(\xi, q) \vee \sim W_2(\xi, \sim q)] \Leftrightarrow \exists q [W_1(\xi, q) \wedge W_2(\xi, \sim q)]$

$\Leftrightarrow \exists q \{ \forall y [y \in F_1(\xi) \supset q(\xi, y)] \wedge \forall y [y \in F_2(\xi) \supset \sim q(\xi, y)] \}$

$\Leftrightarrow \forall y_1 \forall y_2 [y_1 \in F_1(\xi) \wedge y_2 \in F_2(\xi) \supset y_1 \ne y_2]$

$\Leftrightarrow \sim \exists y_1 \exists y_2 [y_1 \in F_1(\xi) \wedge y_2 \in F_2(\xi) \wedge y_1 = y_2]$.

6.(a) $\sim \forall q [W_1(\xi, q) \vee W_2(\xi, \sim q)] \Leftrightarrow \exists q [\sim W_1(\xi, q) \wedge \sim W_2(\xi, \sim q)]$

$\Leftrightarrow \exists q \{ \exists y [y \in F_1(\xi) \wedge \sim q(\xi, y)] \wedge \exists y [y \in F_2(\xi) \wedge q(\xi, y)] \}$

$\Leftrightarrow \exists y_1 \exists y_2 [y_1 \in F_1(\xi) \wedge y_2 \in F_2(\xi) \wedge y_1 \ne y_2]$

$\Leftrightarrow \sim \forall y_1 \forall y_2 [y_1 \in F_1(\xi) \wedge y_2 \in F_2(\xi) \supset y_1 = y_2]$.

(b) Follows from 1 and 6(a).

7.(a) $\sim \forall q [W_1(\xi, q) \supset W_2(\xi, q)] \Leftrightarrow \exists q [W_1(\xi, q) \wedge \sim W_2(\xi, q)]$

$\Leftrightarrow \exists q \{ \forall y [y \in F_1(\xi) \supset q(\xi, y)] \wedge \exists y [y \in F_2(\xi) \wedge \sim q(\xi, y)] \}$

$\Leftrightarrow \exists y [y \in F_2(\xi) \wedge y \notin F_1(\xi)] \Leftrightarrow \sim [F_1(\xi) \supseteq F_2(\xi)]$.

(b) Follows from 7(a).

8.(a) and (b) Follow from 1 and 7(b).

Q.E.D.
III. AUGMENTED MANY-VALUED FUNCTIONS

In order to formalize several more natural properties of a non-deterministic algorithm it is usually not sufficient to consider it as defining a regular many-valued function $F$ (mapping elements of $D_x$ into subsets of $D_y$), but rather as defining an augmented many-valued function $F^{+}$, mapping elements of $D_x$ into non-empty subsets of $D_y \cup \{\infty\}$. Thus, for example, for some algorithm with $D_x = D_y = \{$the integers$\}$ we write $F^{+}(7) = \{3, 5, \infty\}$ to mean that for input $x = 7$: there is at least one finite computation of the algorithm yielding $y = 3$, there is at least one finite computation of the algorithm yielding $y = 5$, and there is at least one infinite computation. We say that:

1.(a) $F^{+}(\xi)$ is $\exists$-defined if $\exists y [y \in F^{+}(\xi) \wedge y \ne \infty]$;

(b) $F^{+}(\xi)$ is $\forall$-defined if $\forall y [y \in F^{+}(\xi) \supset y \ne \infty]$.

2.(a) $F^{+}(\xi)$ is partially determinate if

$\forall y_1 \forall y_2 [y_1 \in F^{+}(\xi) \wedge y_2 \in F^{+}(\xi) \wedge y_1 \ne \infty \wedge y_2 \ne \infty \supset y_1 = y_2]$;

(b) $F^{+}(\xi)$ is totally determinate if

$\forall y_1 \forall y_2 [y_1 \in F^{+}(\xi) \wedge y_2 \in F^{+}(\xi) \supset y_1 \ne \infty \wedge y_2 \ne \infty \wedge y_1 = y_2]$.

3.(a) $F^{+}(\xi)$ is partially $\exists$-correct w.r.t. $\psi$ if $\exists y \{ y \in F^{+}(\xi) \wedge [y \ne \infty \supset \psi(\xi, y)] \}$;

(b) $F^{+}(\xi)$ is totally $\exists$-correct w.r.t. $\psi$ if $\exists y [y \in F^{+}(\xi) \wedge y \ne \infty \wedge \psi(\xi, y)]$.

4.(a) $F^{+}(\xi)$ is partially $\forall$-correct w.r.t. $\psi$ if $\forall y [y \in F^{+}(\xi) \wedge y \ne \infty \supset \psi(\xi, y)]$;

(b) $F^{+}(\xi)$ is totally $\forall$-correct w.r.t. $\psi$ if $\forall y [y \in F^{+}(\xi) \supset y \ne \infty \wedge \psi(\xi, y)]$.

Let $y = F_1^{+}(x)$ and $y = F_2^{+}(x)$ be any two comparable augmented many-valued functions, i.e., functions with the same input domain $D_x$ and the same output domain $D_y$. We say that:

5.(a) $F_1^{+}(\xi)$ and $F_2^{+}(\xi)$ are partially $\exists$-equivalent if

$\exists y_1 \exists y_2 \{ y_1 \in F_1^{+}(\xi) \wedge y_2 \in F_2^{+}(\xi) \wedge [y_1 \ne \infty \wedge y_2 \ne \infty \supset y_1 = y_2] \}$;

(b) $F_1^{+}(\xi)$ and $F_2^{+}(\xi)$ are totally $\exists$-equivalent if

$\exists y_1 \exists y_2 [y_1 \in F_1^{+}(\xi) \wedge y_2 \in F_2^{+}(\xi) \wedge y_1 \ne \infty \wedge y_2 \ne \infty \wedge y_1 = y_2]$;

6.(a) $F_1^{+}(\xi)$ and $F_2^{+}(\xi)$ are partially determinate-equivalent if

$\forall y_1 \forall y_2 [y_1 \in F_1^{+}(\xi) \wedge y_2 \in F_2^{+}(\xi) \wedge y_1 \ne \infty \wedge y_2 \ne \infty \supset y_1 = y_2]$;

(b) $F_1^{+}(\xi)$ and $F_2^{+}(\xi)$ are totally determinate-equivalent if

$\forall y_1 \forall y_2 [y_1 \in F_1^{+}(\xi) \wedge y_2 \in F_2^{+}(\xi) \supset y_1 \ne \infty \wedge y_2 \ne \infty \wedge y_1 = y_2]$;

7.(a) $F_1^{+}(\xi)$ partially extends $F_2^{+}(\xi)$ if $[F_1^{+}(\xi) - \{\infty\}] \supseteq [F_2^{+}(\xi) - \{\infty\}]$;

(b) $F_1^{+}(\xi)$ totally extends $F_2^{+}(\xi)$ if $F_1^{+}(\xi) \supseteq F_2^{+}(\xi)$;

8.(a) $F_1^{+}(\xi)$ and $F_2^{+}(\xi)$ are partially equivalent if

$[F_1^{+}(\xi) - \{\infty\}] = [F_2^{+}(\xi) - \{\infty\}]$;

(b) $F_1^{+}(\xi)$ and $F_2^{+}(\xi)$ are totally equivalent if $F_1^{+}(\xi) = F_2^{+}(\xi)$.

Suppose that we can formalize the properties of $F^{+}$ being partially $\exists$-correct and partially $\forall$-correct by second-order formulas $W^{\exists}(x,q)$ and $W^{\forall}(x,q)$, respectively, in the following sense:

For every $\xi \in D_x$ and for every predicate $\psi(x,y)$ over $D_x \times D_y$:

$W^{\exists}(\xi, \psi)$ if and only if $\exists y \{ y \in F^{+}(\xi) \wedge [y \ne \infty \supset \psi(\xi, y)] \}$,

and

$W^{\forall}(\xi, \psi)$ if and only if $\forall y [y \in F^{+}(\xi) \wedge y \ne \infty \supset \psi(\xi, y)]$.

Note that the following properties of $W^{\exists}(x,q)$ and $W^{\forall}(x,q)$ are always true. For every $\xi \in D_x$: (i) $W^{\exists}(\xi, T)$ and therefore $\exists q\, W^{\exists}(\xi, q)$, (ii) $W^{\forall}(\xi, T)$ and therefore $\exists q\, W^{\forall}(\xi, q)$, (iii) $\infty \in F^{+}(\xi) \supset \forall q\, W^{\exists}(\xi, q)$, and (iv) $F^{+}(\xi) = \{\infty\} \supset \forall q\, W^{\forall}(\xi, q)$.
Theorem 3

1.(a) $F^{+}(\xi)$ is $\exists$-defined if and only if $\sim W^{\forall}(\xi, F)$;

(b) $F^{+}(\xi)$ is $\forall$-defined if and only if $\sim W^{\exists}(\xi, F)$;

2.(a) $F^{+}(\xi)$ is partially determinate if and only if $\forall q [W^{\forall}(\xi, q) \vee W^{\forall}(\xi, \sim q)]$;

(b) $F^{+}(\xi)$ is totally determinate if and only if $\forall q [\sim W^{\exists}(\xi, q) \vee \sim W^{\exists}(\xi, \sim q)]$;

3.(a) $F^{+}(\xi)$ is partially $\exists$-correct w.r.t. $\psi$ if and only if $W^{\exists}(\xi, \psi)$;

(b) $F^{+}(\xi)$ is totally $\exists$-correct w.r.t. $\psi$ if and only if $\sim W^{\forall}(\xi, \sim\psi)$;

4.(a) $F^{+}(\xi)$ is partially $\forall$-correct w.r.t. $\psi$ if and only if $W^{\forall}(\xi, \psi)$;

(b) $F^{+}(\xi)$ is totally $\forall$-correct w.r.t. $\psi$ if and only if $\sim W^{\exists}(\xi, \sim\psi)$;

5.(a) $F_1^{+}(\xi)$ and $F_2^{+}(\xi)$ are partially $\exists$-equivalent if and only if

$\forall q [W_1^{\exists}(\xi, q) \vee W_2^{\exists}(\xi, \sim q)]$;

(b) $F_1^{+}(\xi)$ and $F_2^{+}(\xi)$ are totally $\exists$-equivalent if and only if

$\forall q [\sim W_1^{\forall}(\xi, q) \vee \sim W_2^{\forall}(\xi, \sim q)]$;

6.(a) $F_1^{+}(\xi)$ and $F_2^{+}(\xi)$ are partially determinate-equivalent if and only if

$\forall q [W_1^{\forall}(\xi, q) \vee W_2^{\forall}(\xi, \sim q)]$;

(b) $F_1^{+}(\xi)$ and $F_2^{+}(\xi)$ are totally determinate-equivalent if and only if

$\forall q [\sim W_1^{\exists}(\xi, q) \vee \sim W_2^{\exists}(\xi, \sim q)]$;

7.(a) $F_1^{+}(\xi)$ partially extends $F_2^{+}(\xi)$ if and only if $\forall q [W_1^{\forall}(\xi, q) \supset W_2^{\forall}(\xi, q)]$;

(b) $F_1^{+}(\xi)$ totally extends $F_2^{+}(\xi)$ if and only if $\forall q [W_2^{\exists}(\xi, q) \supset W_1^{\exists}(\xi, q)]$;

8.(a) $F_1^{+}(\xi)$ and $F_2^{+}(\xi)$ are partially equivalent if and only if

$\forall q [W_1^{\forall}(\xi, q) \equiv W_2^{\forall}(\xi, q)]$;

(b) $F_1^{+}(\xi)$ and $F_2^{+}(\xi)$ are totally equivalent if and only if

$\forall q [W_1^{\exists}(\xi, q) \equiv W_2^{\exists}(\xi, q)]$.
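As an added, machine-checkable reading of Theorem 3 (this code is not part of the paper): an augmented value $F^{+}(\xi)$ is a non-empty Python set over a constructed three-element output domain $D_y$ with the token INF standing for $\infty$, $W^{\exists}$ and $W^{\forall}$ are evaluated by their defining conditions, and $\forall q$ ranges over all $2^{|D_y|}$ predicates on that domain. Each item of Theorem 3 is compared with the corresponding definition of Part III on every pair of values and every $\psi$; the domain, the sample values and the function names are assumptions of the example.

```python
from itertools import product

INF = "inf"            # stands for the paper's ∞ (an infinite computation)
DY = (0, 1, 2)         # constructed finite output domain D_y (an assumption)

def predicates(domain):
    """All predicates q(ξ, y) for the fixed input ξ, as truth tables over D_y."""
    return [dict(zip(domain, bits))
            for bits in product((False, True), repeat=len(domain))]

QS = predicates(DY)
FALSE = {y: False for y in DY}           # the constant predicate F of the paper

def neg(q):                               # the predicate ~q
    return {y: not v for y, v in q.items()}

def fin(F):                               # F+(ξ) − {∞}
    return {y for y in F if y != INF}

# The defining conditions of the two second-order formulas (Part III):
def W_exists(F, q):    # W^∃(ξ,q) iff ∃y{y ∈ F+(ξ) ∧ [y ≠ ∞ ⊃ q(ξ,y)]}
    return any(y == INF or q[y] for y in F)

def W_forall(F, q):    # W^∀(ξ,q) iff ∀y[y ∈ F+(ξ) ∧ y ≠ ∞ ⊃ q(ξ,y)]
    return all(q[y] for y in F if y != INF)

def forall_q(p):       # ∀q[...] over every predicate on the finite domain
    return all(p(q) for q in QS)

# item -> (definition from Part III, formula from Theorem 3); each takes
# F1+(ξ), F2+(ξ) and ψ (the single-function items ignore F2).
ITEMS = {
    "1a": (lambda F1, F2, psi: bool(fin(F1)),
           lambda F1, F2, psi: not W_forall(F1, FALSE)),
    "1b": (lambda F1, F2, psi: INF not in F1,
           lambda F1, F2, psi: not W_exists(F1, FALSE)),
    "2a": (lambda F1, F2, psi: len(fin(F1)) <= 1,
           lambda F1, F2, psi: forall_q(lambda q: W_forall(F1, q) or W_forall(F1, neg(q)))),
    "2b": (lambda F1, F2, psi: INF not in F1 and len(F1) == 1,
           lambda F1, F2, psi: forall_q(lambda q: not W_exists(F1, q) or not W_exists(F1, neg(q)))),
    "3a": (lambda F1, F2, psi: INF in F1 or any(psi[y] for y in fin(F1)),
           lambda F1, F2, psi: W_exists(F1, psi)),
    "3b": (lambda F1, F2, psi: any(psi[y] for y in fin(F1)),
           lambda F1, F2, psi: not W_forall(F1, neg(psi))),
    "4a": (lambda F1, F2, psi: all(psi[y] for y in fin(F1)),
           lambda F1, F2, psi: W_forall(F1, psi)),
    "4b": (lambda F1, F2, psi: INF not in F1 and all(psi[y] for y in F1),
           lambda F1, F2, psi: not W_exists(F1, neg(psi))),
    "5a": (lambda F1, F2, psi: INF in F1 or INF in F2 or bool(fin(F1) & fin(F2)),
           lambda F1, F2, psi: forall_q(lambda q: W_exists(F1, q) or W_exists(F2, neg(q)))),
    "5b": (lambda F1, F2, psi: bool(fin(F1) & fin(F2)),
           lambda F1, F2, psi: forall_q(lambda q: not W_forall(F1, q) or not W_forall(F2, neg(q)))),
    "6a": (lambda F1, F2, psi: all(a == b for a in fin(F1) for b in fin(F2)),
           lambda F1, F2, psi: forall_q(lambda q: W_forall(F1, q) or W_forall(F2, neg(q)))),
    "6b": (lambda F1, F2, psi: all(a != INF and b != INF and a == b for a in F1 for b in F2),
           lambda F1, F2, psi: forall_q(lambda q: not W_exists(F1, q) or not W_exists(F2, neg(q)))),
    "7a": (lambda F1, F2, psi: fin(F1) >= fin(F2),
           lambda F1, F2, psi: forall_q(lambda q: not W_forall(F1, q) or W_forall(F2, q))),
    "7b": (lambda F1, F2, psi: F1 >= F2,
           lambda F1, F2, psi: forall_q(lambda q: not W_exists(F2, q) or W_exists(F1, q))),
    "8a": (lambda F1, F2, psi: fin(F1) == fin(F2),
           lambda F1, F2, psi: forall_q(lambda q: W_forall(F1, q) == W_forall(F2, q))),
    "8b": (lambda F1, F2, psi: F1 == F2,
           lambda F1, F2, psi: forall_q(lambda q: W_exists(F1, q) == W_exists(F2, q))),
}

def all_values():
    """Every non-empty F+(ξ) ⊆ D_y ∪ {∞}."""
    elems = DY + (INF,)
    return [frozenset(e for e, b in zip(elems, bits) if b)
            for bits in product((False, True), repeat=len(elems)) if any(bits)]

VALUES = all_values()

def check_theorem3():
    """item -> True iff definition and formula agree for every pair of
    augmented values F1+(ξ), F2+(ξ) and every predicate ψ."""
    return {item: all(defn(F1, F2, psi) == formula(F1, F2, psi)
                      for F1 in VALUES for F2 in VALUES for psi in QS)
            for item, (defn, formula) in ITEMS.items()}

if __name__ == "__main__":
    for item, ok in check_theorem3().items():
        print(item, "agrees" if ok else "DISAGREES")
```

The check reports items 7(b) and 8(b) as disagreeing with their definitions whenever $\infty \in F_1^{+}(\xi)$: by property (iii) every $W_1^{\exists}(\xi, q)$ is then true, so those right-hand sides hold no matter which finite values $F_1^{+}(\xi)$ and $F_2^{+}(\xi)$ contain. Since a partial function $f$ is the augmented value $\{f(\xi)\}$ or $\{\infty\}$ and its $w$ is then $W^{\forall}$, the same check also covers Theorem 1.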


•m 

i 

I 
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r 

r 
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Proof  of  Theorem  y 

l.ia)  ~  W¥(:,Sr)  «  ~Yy[y*F  (?)  a  y  /  ®  3  7]  «  Sy[y*'F+(')  A  y  /  ®]  . 

~  W"  '>?)  r5  ~  yfy  r  •)  A  [y  /  ®  3  7]]  «  Yy[yrF+(P )  3  y  /  ®]  . 

Ja)  ~  Vq[WY(*,:«)  J  VY  *  .  ~  .)  ]  r»  ~q[  ~WY(-,q)  A  ~  WY(|,  ~q)  ] 

”  Qf  — Vyl  :  a  y  /  at  ~  q  ;  1  y)  ]  a  ~  Yy[y  F+(s )  A  y  /  ®  3  ~  q(  ,y)  ]} 

«  -qfqyjy.  I  '■  A  y  /  ®  A  ~  q(  F,y)  a  3y[ycF+  (5)  Ay/®  A  a(£,y)]} 

;5  “y^'y  [y1'F+  :  A  .  1  /  ®  A  y  F4(|)  a  y,  /  ®  A  yx  /•  y2] 

w  ~  Vy1Yy2[y1.:F*  (6)  A  y^b'  (5)  A  yx  /  ®  A  y2  /  ®  3  =  y  ]  . 

(b)  ~  Vq[  ~W  (*,q)  V~W(|,~q)]  «  7q[W"*( £, a)  A  W“ {i,  ~q)  ] 

0  ”q^y{y  -’+  c  a  [y  /  «  o  q  Sy)  j}  a  'ly{y-F+(0  a  [y  /  ®  3  ~  q(|,y)  ]}} 
*»  2y1^Iy2{y1<-K+(?)  a  y  -/(I)  A  [yx  /  ®  a  y^  /  oy^  yj} 

~  Vy1Vy2[y1--F+(|)  a  y  <F+(?)  3  y1  /  »  A  y2  /  ®  a  yx  y2]  . 

•r«0  '/  p,v)  »  7y{ycF+(0  A  [y  /  ®3’f(*,y)]]  . 

ib)  ~  WY(|,  ~*)  :>  ~  Vy[y>:F+(|)  A  y  /  ®  3  ~  *(|,y)  ] 

«  lyty^V.)  A  y  /  CD  A  v  '  !,y)  ]  . 

U.(a)  WY/£,t|0  o  Vy[ya,f(|)  a  y  /  ®  3  v(?,y)  ]  . 


(b) 


5-(a) 


(b) 


<>  ~3y{ycF+(£)  A  [y  /  ®  3  -  'Kl,y)  ]} 

«  Vy[yeF+(5)  3  y  /  ®  a  t(|,y)]  . 

~  Vq[W£(|,q)  V  W^(|,  ~q)  ]  «  3q[  ~W£(|,q)  A  ~  W^(|,  ~q)  ] 

«  -q{Vy[ycF*(|)  3  y  /  *  A  ~q(S,y)]  a  VytycF^U)  3  y  /  ®  a  q(£,y)]} 

»  Vy1Vy2[y1cF^(|)  a  y9€F2(t)  3  yx  /  »  a  y2  /  ®  a  yx  /  yg] 

«»  ~  3y1'-y2fy;icK^(|)  a  y2'.F g(S)  a  [y1  /  ®  a  y2  /  ®  3  ^  =  y2 ] }  . 

~Vq[~WY(£,q)  V  ~  WY(|,  ~  q)  )  «  Sq[WY(|,q)  A  WY(£,  ~q)] 

«  3qfYy[yrF*(£)  A  y  /  ®  3  q(l,y)l  A  Yy[ye?2(£)  Ay/®  3~q(|,y)  } 

ylYy^y;]yFl^  a  y1  /  ®  a  y2cF2(£J  a  y2  /  ®  3  yx  /  y2) 
^^[y^-F^d)  a  y2  :F2(0  A  yx  /  ®  a  y2  /  ®  a  yx  y£]  • 


«  V 
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r.(a)  ~  Yq[wJ(6,q)  V  W^i,  ~  q)  ]  «  7q[  ~W*(|, q)  A  ~  w|(|,  ~q)  ] 

«  3q{3y[ycF+(0  a  y  /  ®  a  ~  q(l,y)  ]  a  7y[ycF*(!)  a  y  /  «  /> 
«  3y13y2[y1cF^(|)  A  ®  a  y2cF+(£)  A  yg  ^  ®  A  yx  /  y2] 

«  ~  Yy1Vy:[y1cF^(|)  a  y2cF2(!)  A  /-»  A  1'2  /  ®  d  yx  =  y, 

(b)  ~  Yq[  ~WJ(|,q)  V  ~W2(|,  ~q)  )  «  3q[W£(|, q)  A  W^( ! ,  ~q)  ] 

«  3q{3yfy€F*(S)  a  [y  /  «  d  q(£,y)]}  a  SytycF^U)  a  [y  /  » 
«  3y13y2{y1cF^(6)  a  y2cF2(!)  A  lyx  /  ®  A  y2  /  ®  D  Yl  /  y2] 
«  ~  Yy-jYygly^F^d)  a  y2rF2^)  ^  Yj_  /  °°  a  y2  /  ®  a  =  y£ 

7- (a)  ~Vq[wJ(£,q)  3  W*(t,q)  ]  «  3q[W^(|,q)  A  ~  W*(|,q)  ] 

«  3q{Vy[ycF*(|)  a  y  /  «  3  q(',y))  a  3y[ycF2(£)  A  y  f  ®  A  ~ 
«  3y[ycF2(|)  a  y/»A  y/F*(i) ) 

«  ~Yy[yrF2(0  a  y  /  ®  =>  ycF*(0)  • 

(b)  ~Yq[W“(|,q)  3W'(5,q)]  «  3q[W^(|,q)  A  ~  W£(|,q)  ] 

«  3q{Sy{ycF2(|)  a  [y  /-  *  3  q(!,y)]}  a  Yy[ycF*(|)  =>  y  /  •  a 
«  3y[ycF2(|)  a  y/F^(|)] 

«  ~  Yy[ycF2(|)  =)  ycF^(|)  ]  . 

8.  (a)  Follows  from  7(a). 

(b)  Follows  from  7(b). 

Q.E 


'  q(5»y)  ]} 

J  ’ 

3  ~  q(l,y)  ]}} 
1} 

J  * 

-  q(l,y)  ]} 

~  q(f=,y)  ]] 
Example

The construction of $W^{\exists}(x,q)$ and $W^{\forall}(x,q)$ has already been described for several classes of non-deterministic algorithms, such as non-deterministic programs (Manna [9]) and parallel programs (Ashcroft and Manna [2]).

We shall illustrate the construction of $W^{\exists}(x,q)$ and $W^{\forall}(x,q)$ for a non-deterministic program computing the factorial function.

In the program below a branch of the form

[figure: a choice branch]

is called a choice branch and means that upon execution of the program, at this point we are allowed to proceed with either branch, chosen arbitrarily. The execution of the program proceeds until $z_2 = z_2'$; then $y = z_1 \cdot z_1'$.

For $x = 3$, for example, there are 30 different possible executions of the program: 5 of them are represented by table 1 below, 10 by table 2, 10 by table 3, and 5 by table 4.


[tables 1 to 4: execution traces of the program for $x = 3$, one table per kind of execution, with columns $z_1$, $z_2$, $z_1'$, $z_2'$; the table bodies did not survive extraction]
$W^{\exists}(x,q)$ is

$\exists p_1 \exists p_2 \{ p_1(x, 1, x, 1, 0)$

$\wedge\ \forall z_1 \forall z_2 \forall z_1' \forall z_2' [p_1(x, z_1, z_2, z_1', z_2') \supset$ if $z_2 = z_2'$ then $q(x, z_1 \cdot z_1')$ else $p_2(x, z_1, z_2, z_1', z_2')]$

$\wedge\ \forall z_1 \forall z_2 \forall z_1' \forall z_2' [p_2(x, z_1, z_2, z_1', z_2') \supset p_1(x, z_1 \cdot z_2, z_2 - 1, z_1', z_2') \vee p_1(x, z_1, z_2, z_1' \cdot (z_2' + 1), z_2' + 1)] \}$.

$W^{\forall}(x,q)$ is similar, with the '$\vee$' connective replaced by '$\wedge$'.
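As an added illustration (not from the paper), the program that the formula describes, executed in Python: the four components of the state are the program variables $z_1, z_2, z_1', z_2'$, the two successor functions are read off the disjunction in the $p_2$ clause, and the three conjuncts of $W^{\exists}(x,q)$ are checked directly on finite witness sets for $p_1$ and $p_2$ (one execution path for the '$\vee$' version, all reachable states for the '$\wedge$' version). The token INF, the function names and the sample predicates are assumptions of this example.

```python
INF = "inf"   # the paper's ∞: an infinite computation (an assumed token)

# The state (z1, z2, z1', z2') of the program, read off the formula W^∃(x,q):
def initial(x):            # p1(x, 1, x, 1, 0)
    return (1, x, 1, 0)

def top(s):                # p1(x, z1·z2, z2−1, z1', z2'): multiply from the top
    z1, z2, z1p, z2p = s
    return (z1 * z2, z2 - 1, z1p, z2p)

def bottom(s):             # p1(x, z1, z2, z1'·(z2'+1), z2'+1): from the bottom
    z1, z2, z1p, z2p = s
    return (z1, z2, z1p * (z2p + 1), z2p + 1)

def halted(s):             # the test z2 = z2'
    return s[1] == s[3]

def output(s):             # y = z1·z1'
    return s[0] * s[2]

def executions(x):
    """All finite executions, each as the list of p1-states it passes through,
    plus a flag telling whether an infinite execution exists.  The gap z2 − z2'
    falls by exactly one per step, so once it is negative the test z2 = z2' can
    never succeed: that path is infinite (this happens exactly when x < 0)."""
    pending, finite, infinite = [[initial(x)]], [], False
    while pending:
        path = pending.pop()
        s = path[-1]
        if halted(s):
            finite.append(path)
        elif s[1] < s[3]:
            infinite = True
        else:                                   # the choice branch
            pending.append(path + [top(s)])
            pending.append(path + [bottom(s)])
    return finite, infinite

def F_plus(x):
    """The augmented value F+(x) of Part III."""
    finite, infinite = executions(x)
    return {output(p[-1]) for p in finite} | ({INF} if infinite else set())

def conjuncts_hold(x, q, p1, p2, connective):
    """The body of the formula with p1, p2 fixed to finite sets of states;
    connective=any is the '∨' version (W^∃), connective=all the '∧' version."""
    if initial(x) not in p1:                    # p1(x, 1, x, 1, 0)
        return False
    for s in p1:                                # p1 ⊃ if z2 = z2' then q else p2
        if halted(s):
            if not q(x, output(s)):
                return False
        elif s not in p2:
            return False
    return all(connective([top(s) in p1, bottom(s) in p1]) for s in p2)

def W_exists(x, q):
    """∃p1∃p2 with '∨': the states of one execution suffice as a witness."""
    finite, infinite = executions(x)
    if infinite:   # the infinite execution is itself a witness (property (iii))
        return True
    return any(conjuncts_hold(x, q, set(p), {s for s in p if not halted(s)}, any)
               for p in finite)

def W_forall(x, q):
    """∃p1∃p2 with '∧': p1 must be closed under both successors, so the
    smallest witness is the set of all reachable states."""
    finite, infinite = executions(x)
    if infinite:   # then F+(x) = {∞} and the formula holds (property (iv))
        return True
    p1 = {s for p in finite for s in p}
    return conjuncts_hold(x, q, p1, {s for s in p1 if not halted(s)}, all)

def matches_semantics(x, q):
    """Sense check: the formulas agree with the defining conditions of
    W^∃ and W^∀ evaluated directly on F+(x)."""
    F = F_plus(x)
    e = any(y == INF or q(x, y) for y in F)
    a = all(q(x, y) for y in F if y != INF)
    return W_exists(x, q) == e and W_forall(x, q) == a
```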
COMMENTS

1. There are clearly many natural extensions of our results. We shall present here just one example.

Let $f_1$ and $f_2$ be any two comparable partial functions, and let $TP(*f_1(x), *f_2(x))$, called the termination property, be any formula constructed from the primitives $*f_1(x)$ and $*f_2(x)$ and the propositional connectives $\sim$, $\supset$, $\wedge$, $\vee$ and $\equiv$.

We say that $f_1(\xi)$ and $f_2(\xi)$ are equivalent w.r.t. $TP$ if

$TP(*f_1(\xi), *f_2(\xi)) \wedge [*f_1(\xi) \wedge *f_2(\xi) \supset f_1(\xi) = f_2(\xi)]$;

i.e., if $f_1(\xi)$ and $f_2(\xi)$ satisfy the termination property $TP$ and, if $f_1(\xi)$ and $f_2(\xi)$ are defined, then $f_1(\xi) = f_2(\xi)$.

By specifying $TP$ we obtain as special cases all the notions of equivalence introduced in Part I (2(a)-(d)): (a) partial equivalence ($TP$ is $T$), (b) extension ($TP$ is $*f_2(x) \supset *f_1(x)$), (c) equivalence ($TP$ is $*f_1(x) \equiv *f_2(x)$), and (d) total equivalence ($TP$ is $*f_1(x) \wedge *f_2(x)$).

The following result follows from Theorem 1 (0 and 2(a)):

Theorem: $f_1(\xi)$ and $f_2(\xi)$ are equivalent w.r.t. $TP$ if and only if

$TP(\sim w_1(\xi, F), \sim w_2(\xi, F)) \wedge \forall q [w_1(\xi, q) \vee w_2(\xi, \sim q)]$.

Thus the theorem gives second-order formulas for the above four properties by appropriate substitutions for $TP$. However, Theorem 1 (2(a)-(d)) gives simpler second-order formulas for the same properties.

Similarly, one can extend the notions of correctness. In general, any property can be formalized in second-order predicate calculus if it can be expressed as a composition of some of the basic formulas (that were formalized in our theorems) using propositional connectives ($\sim$, $\wedge$, $\vee$, $\supset$ and $\equiv$). The appropriate second-order formula is then the propositional composition of the corresponding basic second-order formulas. This, for example, was the way we formalized several properties in Part II.


2. Note that among the 'equivalence properties' defined in Part I, only equivalence, i.e., property 2(c), is really an equivalence relation (i.e., reflexive, symmetric and transitive), as can be seen from the following table:

property              other names used in publications   reflexive relation   symmetric relation   transitive relation   equivalence relation
partial equivalence   weak equivalence                   yes                  yes                  no                    no
extension             inclusion                          yes                  no                   yes                   no
equivalence           strong equivalence                 yes                  yes                  yes                   yes
total equivalence     (termination) equivalence          no                   yes                  yes                   no

Among the 'equivalence properties' defined in Parts II and III only property 7(b) in Part II and properties 8(a)(b) in Part III are equivalence relations.
3. Our results imply that the second-order formula formalizing the 'partial correctness' of a given algorithm represents, in some sense, all input-output relations of the computations of the algorithm.

In general, all our results hold even if the formulas $w$, $W$ and $W^{\exists}$, $W^{\forall}$ formalize partial correctness in the following weaker sense:

For every $\xi \in D_x$ and for every predicate $\psi(x,y)$ over $D_x \times D_y$:

(i) $w(\xi, \psi)$ if and only if $\exists q \{ [*f(\xi) \supset q(\xi, f(\xi))] \wedge \forall y [q(\xi, y) \supset \psi(\xi, y)] \}$;

(ii) $W(\xi, \psi)$ if and only if $\exists q \{ \forall y [y \in F(\xi) \supset q(\xi, y)] \wedge \forall y [q(\xi, y) \supset \psi(\xi, y)] \}$;

(iii) $W^{\exists}(\xi, \psi)$ if and only if $\exists q \{ \exists y \{ y \in F^{+}(\xi) \wedge [y \ne \infty \supset q(\xi, y)] \} \wedge \forall y [q(\xi, y) \supset \psi(\xi, y)] \}$

and

$W^{\forall}(\xi, \psi)$ if and only if $\exists q \{ \forall y [y \in F^{+}(\xi) \wedge y \ne \infty \supset q(\xi, y)] \wedge \forall y [q(\xi, y) \supset \psi(\xi, y)] \}$.

4. All the properties mentioned so far were defined and formalized for fixed input values. One can extend all the definitions and the corresponding formulas to hold over some total input predicate $\varphi(x)$, which means that the property should hold for every $\xi \in D_x$ s.t. $\varphi(\xi) = T$. More precisely, if property $P$ for $\xi \in D_x$ was formalized by $W_P(\xi)$, then the property $P$ holds over input predicate $\varphi(x)$ if and only if $\forall x [\varphi(x) \supset W_P(x)]$.
5. The formulas $w$, $W$ and $W^{\exists}$, $W^{\forall}$ constructed in previous publications for various classes of algorithms share an important common feature: all additional predicate symbols introduced in the formulas are existentially quantified (see examples above). This is because the additional symbols were always introduced for the same purpose, namely to cut the algorithm into pieces which can be formalized directly.

In this case certain properties happen to be formalized by first-order formulas (i.e., all predicate symbols are universally quantified); for example, properties 0, 1(b) and 2(d) of Part I, 1, 2(b), 3(b) and 5(b) of Part II, and 1(a), 1(b), 2(b), 3(b), 4(b), 5(b) and 6(b) of Part III.
In this work we show that it is possible to formalize all properties regularly observed in (deterministic and non-deterministic) algorithms in second-order predicate calculus.

Moreover, we show that for any given algorithm it suffices to know how to formalize its "partial correctness" by a second-order formula in order to formalize all other properties by second-order formulas.

This result is of special interest since "partial correctness" has already been formalized in second-order predicate calculus for many classes of algorithms.

This paper will be presented at the ACM Symposium on Theory of Computing (May, 1970).


